Phishing to Fraud

What if they don’t want one person’s account?

Lee Heath (madhat@gmail.com)

Phishing to Fraud

• Introduction
• The Phishing Hole
• New Targets – Beyond Banks
• Fraud
• Cash
• Cracking
• Downfall

Phishing to Fraud

• Phishing
• Fraud
• Credit Cards
  – Sources
  – Card Not Present
  – Carding
  – BINs
  – CCV/CVC

Phishing to Fraud

• Phishing Hole – Compromised Server
  – Old School
  – Extremely Common
  – More Obvious
• Phishing Hole – Phished/New Hosting Account
  – Brandjacking
  – Register.com
  – GoDaddy
  – Yahoo!
• Scripting
• Packageify it…

Phishing to Fraud

• Payment Processors
  – PayPal
  – BoA Merchant Services
  – Chase Paymentech
  – Intuit Payment Solutions
  – Merchant One
• Hosting/Registrars
  – GoDaddy
  – Register.com
  – Intuit
  – Yahoo!
• Vulnerability Assessment Providers
  – Qualys
  – Trustwave

Phishing to Fraud

• How are the CC’s used?
  – Purchasing
  – Selling to card numbers
  – Cash
• How to get Cash?
  – Refunds
  – Transfers
  – Phishing

Phishing to Fraud

• Payment Processors
  – Credit Card No. Generation
  – Cracking CVV/CVC
  – Carding
  – BIN Attacks

Phishing to Fraud

• How they get caught…
  – Trending
  – Referencing Hosted Data
    • Images
    • Javascript
    • CSS
• What is wrong with this picture?
  – Too many transactions per second
  – Too many authorizations
  – Sudden increase in cost to the victim merchant
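
One way a brand owner can act on the "Referencing Hosted Data" point, assuming it refers to phishing pages that load the real site's images, JavaScript and CSS, so the requests show up in the real site's access logs with a foreign Referer. This is an added example, not from the slides; the host names, log lines and function name are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames the brand itself serves pages from.
OWN_HOSTS = {"www.bank.example", "bank.example"}
ASSET_EXT = (".png", ".jpg", ".gif", ".css", ".js")

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+ "([^"]*)"'
)

# Constructed sample log lines (documentation IPs, reserved .example/.test names).
T = "[10/Oct/2023:13:55:40 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /img/logo.png HTTP/1.1" 200 5120 '
    '"https://www.bank.example/login" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /img/logo.png HTTP/1.1" 200 5120 '
    '"http://login-bank.test/secure/index.html" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /css/site.css?v=3 HTTP/1.1" 200 900 '
    '"http://login-bank.test/secure/index.html" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /js/validate.js HTTP/1.1" 200 2048 '
    '"http://login-bank.test/secure/index.html" "Mozilla/5.0"',
    f'203.0.113.5 - - {T} "GET /img/logo.png HTTP/1.1" 200 5120 "-" "curl/8.0"',
    f'203.0.113.9 - - {T} "GET /login HTTP/1.1" 200 7000 '
    '"https://search.example/?q=bank" "Mozilla/5.0"',
]

def foreign_asset_referrers(lines, own_hosts=OWN_HOSTS):
    """Map each non-own Referer host to the set of our static assets it pulled in."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        _ip, target, referer = m.groups()
        path = urlsplit(target).path  # drop any query string
        if not path.lower().endswith(ASSET_EXT):
            continue  # ordinary inbound links to pages are not the signal
        host = (urlsplit(referer).hostname or "").lower()
        if host and host not in own_hosts:
            hits[host].add(path)
    return dict(hits)

if __name__ == "__main__":
    for host, assets in foreign_asset_referrers(SAMPLE).items():
        print(host, sorted(assets))
```

A foreign host that pulls the logo, stylesheet and script together is a stronger signal than a single hotlinked image, so ranking hosts by the number of distinct assets is a reasonable triage order.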

Phishing to Fraud

• Conclusion
